From f2569c0e75c19a4d76344a6265d206a58463c267 Mon Sep 17 00:00:00 2001
From: Jose Carlos Venegas Munoz
Date: Wed, 12 Apr 2017 23:08:25 +0000
Subject: [PATCH] clear-containers: Enable kernel security options used by moby
Signed-off-by: Jose Carlos Venegas Munoz
---
 .../clear-containers/kernel/kernel_config | 64 ++++++++++++++-----
 1 file changed, 47 insertions(+), 17 deletions(-)
diff --git a/projects/clear-containers/kernel/kernel_config b/projects/clear-containers/kernel/kernel_config
index 3434111af..b36e2f024 100644
--- a/projects/clear-containers/kernel/kernel_config
+++ b/projects/clear-containers/kernel/kernel_config
@@ -71,11 +71,14 @@ CONFIG_SYSVIPC=y
 CONFIG_SYSVIPC_SYSCTL=y
 CONFIG_POSIX_MQUEUE=y
 CONFIG_POSIX_MQUEUE_SYSCTL=y
-# CONFIG_CROSS_MEMORY_ATTACH is not set
+CONFIG_CROSS_MEMORY_ATTACH=y
 CONFIG_FHANDLE=y
 # CONFIG_USELIB is not set
-# CONFIG_AUDIT is not set
+CONFIG_AUDIT=y
 CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_AUDIT_WATCH=y
+CONFIG_AUDIT_TREE=y
 #
 # IRQ subsystem
@@ -153,14 +156,17 @@ CONFIG_ARCH_SUPPORTS_INT128=y
 CONFIG_CGROUPS=y
 CONFIG_PAGE_COUNTER=y
 CONFIG_MEMCG=y
-# CONFIG_BLK_CGROUP is not set
+CONFIG_BLK_CGROUP=y
+# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_CGROUP_WRITEBACK=y
 CONFIG_CGROUP_SCHED=y
 CONFIG_FAIR_GROUP_SCHED=y
-# CONFIG_CFS_BANDWIDTH is not set
-# CONFIG_RT_GROUP_SCHED is not set
-# CONFIG_CGROUP_PIDS is not set
+CONFIG_CFS_BANDWIDTH=y
+CONFIG_RT_GROUP_SCHED=y
+CONFIG_CGROUP_PIDS=y
 CONFIG_CGROUP_FREEZER=y
-# CONFIG_CPUSETS is not set
+CONFIG_CPUSETS=y
+CONFIG_PROC_PID_CPUSET=y
 CONFIG_CGROUP_DEVICE=y
 CONFIG_CGROUP_CPUACCT=y
 CONFIG_CGROUP_PERF=y
@@ -203,7 +209,7 @@ CONFIG_EPOLL=y
 CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
-# CONFIG_BPF_SYSCALL is not set
+CONFIG_BPF_SYSCALL=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
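Review bot: `+CONFIG_CROSS_MEMORY_ATTACH=y` is an attack-surface addition rather than a hardening option: it turns on the process_vm_readv/process_vm_writev syscalls, which read and write another process's memory, so it reads oddly in a commit titled "Enable kernel security options". If a moby feature inside the guest needs it, name it in the commit message; otherwise leave the line unset. The audit block (`+CONFIG_AUDIT=y` through `+CONFIG_AUDIT_TREE=y`) only pays off if something in the guest collects the records; as I recall, with no audit daemon the kernel just printk()s them, so a minimal VM should either ship a consumer or document `audit=0` on the guest command line as the default.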
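Review bot: `+CONFIG_RT_GROUP_SCHED=y` changes guest behavior beyond adding a controller: non-root cpu cgroups start with cpu.rt_runtime_us=0, so a SCHED_FIFO/SCHED_RR task inside a container gets EPERM from sched_setscheduler() unless the runtime or agent allocates RT bandwidth to the container's group. As I recall moby's check-config.sh lists it only as optional, so the commit message should say why it is wanted here or note who sets rt_runtime_us. `+CONFIG_CGROUP_PIDS=y` is the right call — it is the controller behind `--pids-limit`, which is what keeps a fork bomb in one container from exhausting the guest.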
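Review bot: `+CONFIG_BPF_SYSCALL=y` exposes bpf() to every task in the guest by default — only the `kernel.unprivileged_bpf_disabled` sysctl narrows it to CAP_SYS_ADMIN — and the BPF verifier has been a recurring source of local privilege-escalation bugs, so the guest's sysctl defaults should set `kernel.unprivileged_bpf_disabled=1` unless something there genuinely needs unprivileged bpf(). Seccomp filters use classic BPF through the seccomp/prctl path and do not need this option, so if it was enabled for seccomp it can stay off. Whether moby's seccomp profile is applied inside the guest is not visible from this patch, so treat the sysctl, not a host-side profile, as the control that protects the guest kernel from its own processes.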
@@ -262,8 +268,8 @@ CONFIG_HAVE_GCC_PLUGINS=y
 CONFIG_HAVE_CC_STACKPROTECTOR=y
 CONFIG_CC_STACKPROTECTOR=y
 # CONFIG_CC_STACKPROTECTOR_NONE is not set
-CONFIG_CC_STACKPROTECTOR_REGULAR=y
-# CONFIG_CC_STACKPROTECTOR_STRONG is not set
+# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
+CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
 CONFIG_HAVE_CONTEXT_TRACKING=y
 CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
@@ -283,7 +289,7 @@ CONFIG_HAVE_STACK_VALIDATION=y
 # CONFIG_ISA_BUS_API is not set
 # CONFIG_CPU_NO_EFFICIENT_FFS is not set
 CONFIG_HAVE_ARCH_VMAP_STACK=y
-# CONFIG_VMAP_STACK is not set
+CONFIG_VMAP_STACK=y
 #
 # GCOV-based kernel profiling
@@ -299,7 +305,8 @@ CONFIG_MODULES_TREE_LOOKUP=y
 CONFIG_BLOCK=y
 CONFIG_BLK_DEV_BSG=y
 CONFIG_BLK_DEV_BSGLIB=y
-# CONFIG_BLK_DEV_INTEGRITY is not set
+CONFIG_BLK_DEV_INTEGRITY=y
+# CONFIG_BLK_DEV_THROTTLING is not set
 # CONFIG_BLK_CMDLINE_PARSER is not set
 #
@@ -333,10 +340,12 @@ CONFIG_BLK_MQ_PCI=y
 CONFIG_IOSCHED_NOOP=y
 CONFIG_IOSCHED_DEADLINE=y
 CONFIG_IOSCHED_CFQ=y
+CONFIG_CFQ_GROUP_IOSCHED=y
 CONFIG_DEFAULT_DEADLINE=y
 # CONFIG_DEFAULT_CFQ is not set
 # CONFIG_DEFAULT_NOOP is not set
 CONFIG_DEFAULT_IOSCHED="deadline"
+CONFIG_ASN1=y
 CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
 CONFIG_INLINE_READ_UNLOCK=y
 CONFIG_INLINE_READ_UNLOCK_IRQ=y
@@ -707,6 +716,7 @@ CONFIG_IPV6_NDISC_NODETYPE=y
 # CONFIG_IPV6_FOU_TUNNEL is not set
 # CONFIG_IPV6_MULTIPLE_TABLES is not set
 # CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETLABEL is not set
 # CONFIG_NETWORK_SECMARK is not set
 CONFIG_NET_PTP_CLASSIFY=y
 # CONFIG_NETWORK_PHY_TIMESTAMPING is not set
@@ -768,6 +778,7 @@ CONFIG_NETFILTER_XT_CONNMARK=y
 #
 # Xtables targets
 #
+# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
 # CONFIG_NETFILTER_XT_TARGET_CLASSIFY is not set
 # CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
 # CONFIG_NETFILTER_XT_TARGET_HMARK is not set
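Review bot: `+# CONFIG_BLK_DEV_THROTTLING is not set` leaves block I/O throttling out even though this patch turns on BLK_CGROUP; as I recall moby's check-config.sh lists BLK_DEV_THROTTLING next to BLK_CGROUP, and it is what backs the per-device bps/iops limits (`--device-read-bps` and friends). If the intent is to bound a container's I/O so one workload cannot starve the others in the guest, set `CONFIG_BLK_DEV_THROTTLING=y`; if it was left off deliberately, a sentence in the commit message saying why would save the next reader the same question.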
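Review bot: `+CONFIG_CFQ_GROUP_IOSCHED=y` only takes effect on devices whose active scheduler is CFQ, and this hunk keeps `CONFIG_DEFAULT_IOSCHED="deadline"`, so as far as I can tell blkio weight settings will be accepted but not enforced in the guest unless the scheduler is switched per device at runtime. Either make CFQ the default here or note that the runtime selects it for the container's block devices; a resource limit that looks applied but is silently ignored is worse than one that is visibly absent.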
@@ -859,6 +870,7 @@ CONFIG_IP_NF_NAT=y
 # CONFIG_IP_NF_TARGET_REDIRECT is not set
 # CONFIG_IP_NF_MANGLE is not set
 # CONFIG_IP_NF_RAW is not set
+CONFIG_IP_NF_SECURITY=y
 # CONFIG_IP_NF_ARPTABLES is not set
 #
@@ -1801,6 +1813,7 @@ CONFIG_FSNOTIFY=y
 CONFIG_DNOTIFY=y
 CONFIG_INOTIFY_USER=y
 CONFIG_FANOTIFY=y
+# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
 # CONFIG_QUOTA is not set
 # CONFIG_QUOTACTL is not set
 CONFIG_AUTOFS4_FS=y
@@ -2098,12 +2111,26 @@ CONFIG_DEBUG_BOOT_PARAMS=y
 # Security options
 #
 # CONFIG_KEYS is not set
-# CONFIG_SECURITY_DMESG_RESTRICT is not set
-# CONFIG_SECURITY is not set
-# CONFIG_SECURITYFS is not set
+CONFIG_SECURITY_DMESG_RESTRICT=y
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_NETWORK_XFRM=y
+CONFIG_SECURITY_PATH=y
 CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
 CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
-# CONFIG_HARDENED_USERCOPY is not set
+CONFIG_HARDENED_USERCOPY=y
+# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
+# CONFIG_SECURITY_SELINUX is not set
+# CONFIG_SECURITY_SMACK is not set
+# CONFIG_SECURITY_TOMOYO is not set
+# CONFIG_SECURITY_APPARMOR is not set
+# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_YAMA=y
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_IMA is not set
+# CONFIG_EVM is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
 CONFIG_DEFAULT_SECURITY=""
 CONFIG_CRYPTO=y
@@ -2123,8 +2150,9 @@ CONFIG_CRYPTO_RNG=y
 CONFIG_CRYPTO_RNG2=y
 CONFIG_CRYPTO_RNG_DEFAULT=y
 CONFIG_CRYPTO_AKCIPHER2=y
+CONFIG_CRYPTO_AKCIPHER=y
 CONFIG_CRYPTO_KPP2=y
-# CONFIG_CRYPTO_RSA is not set
+CONFIG_CRYPTO_RSA=y
 # CONFIG_CRYPTO_DH is not set
 # CONFIG_CRYPTO_ECDH is not set
 CONFIG_CRYPTO_MANAGER=y
@@ -2328,9 +2356,11 @@ CONFIG_HAS_DMA=y
 CONFIG_CPU_RMAP=y
 CONFIG_DQL=y
 CONFIG_NLATTR=y
+CONFIG_CLZ_TAB=y
 CONFIG_CORDIC=y
 # CONFIG_DDR is not set
 # CONFIG_IRQ_POLL is not set
+CONFIG_MPILIB=y
 # CONFIG_SG_SPLIT is not set
 # CONFIG_SG_POOL is not set
 CONFIG_ARCH_HAS_SG_CHAIN=y
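Review bot: `+CONFIG_IP_NF_SECURITY=y` adds the iptables "security" table, which exists to hold mandatory-access-control networking rules (SECMARK/CONNSECMARK labels consumed by an LSM), but this patch keeps `# CONFIG_NETWORK_SECMARK is not set` (visible in the -707 hunk) and enables no labeling LSM (SELinux and Smack stay off in the security-options hunk). As configured the table cannot do anything useful and is just one more netfilter entry point compiled into the guest; either drop the line or enable it together with NETWORK_SECMARK and the LSM meant to use it, and say which in the commit message.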
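Review bot: `+CONFIG_SECURITY_YAMA=y` is a user-visible change the commit message should call out: Yama's ptrace_scope defaults to 1, so an unprivileged process in the guest can no longer ptrace (or process_vm_readv) a process that is not its descendant without CAP_SYS_PTRACE or a PR_SET_PTRACER opt-in, which breaks the usual "attach strace/gdb to a running container process" workflow. Every mandatory-access-control LSM stays off here (`# CONFIG_SECURITY_SELINUX is not set` through `# CONFIG_SECURITY_APPARMOR is not set`, with `CONFIG_DEFAULT_SECURITY_DAC=y`), so moby's default AppArmor profile and SELinux labels cannot be enforced inside the guest — defensible if the host enforces them, but it should be stated rather than left implied by a title promising "security options used by moby". `+CONFIG_INTEGRITY=y` and `+CONFIG_INTEGRITY_AUDIT=y` with `# CONFIG_IMA is not set`, `# CONFIG_EVM is not set` and `# CONFIG_KEYS is not set` kept provide no measurement or appraisal, so they are dead weight as written. As I recall moby's check-config.sh lists KEYS among its generally-necessary options (the runtime joins a session keyring via keyctl), which may be the option actually missing from this hunk.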